Group-Admin Escalation to Realm-Admin
Summary
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover. Red Hat severity: Important — CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N). Weakness: CWE-639. Fixed by RHSA-2026:30050, RHSA-2026:30049, RHSA-2026:30084, RHSA-2026:30083 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat build of Keycloak 26.4; Red Hat build of Keycloak 26.4.13; Red Hat build of Keycloak 26.6; Red Hat build of Keycloak 26.6.4.
- rhbk/keycloak-operator-bundle:26.4.13-1
- rhbk/keycloak-rhel9-operator:26.4-19
- rhbk/keycloak-rhel9
- rhbk/keycloak-rhel9:26.6-8
- rhbk/keycloak-rhel9:26.4-19
- rhbk/keycloak-operator-bundle:26.6.4-2
- rhbk/keycloak-rhel9-operator:26.6-8
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- rhbk/keycloak-operator-bundle:26.4.13-1
- rhbk/keycloak-rhel9:26.4-19
- rhbk/keycloak-rhel9-operator:26.4-19
- rhbk/keycloak-rhel9
- rhbk/keycloak-operator-bundle:26.6.4-2
- rhbk/keycloak-rhel9:26.6-8
- rhbk/keycloak-rhel9-operator:26.6-8
- RHSA-2026:30050
- RHSA-2026:30049
- RHSA-2026:30084
- RHSA-2026:30083
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.